On my firewall machines the nft ruleset contains tables I created (using a systemd unit similar to Debian's nftables.service unit) and also tables created by Tailscale. When reloading my own rules, I'd like to be able to use 'nft --check' to validate the candidate rules before attempting to apply them, in case a failed application would leave the firewall more open than it should be. However, I can't do that at the moment because '--check' assumes that the commands supplied to it are being applied to an 'empty' environment, or something similar to that. Normally this would be solved by including 'flush ruleset' in the rules file passed to '--check', but I can't do that because it would flush the Tailscale tables too. I've tried using 'flush table <table>' commands in the rules file, and that works as long as the rules have been previously loaded (in tables with the same names). It fails at system startup though, because 'nft flush table <table>' fails with an error if the named table does not exist. I've got an ugly workaround at the moment but I'd like to avoid that. I think the simplest solution here would be to enhance 'nft flush table <table>' to not report an error if the table does not exist, since in the end that was almost the same goal as the command itself. Does this seem reasonable?
